Nfc-chip reader

ABSTRACT

Near field communication (NFC) is used for banking, access control or identification. The NFC-chip contains data verifying the identity of the holder, which is read by an NFC-chip reader. NFC-chip readers are now often online or stand-alone terminals, which may be trusted or untrusted. Trusted terminals may require a communication link to a certificate server. Untrusted terminals require a link to a server that performs the authentication steps and may require a link to a certificate server. A disadvantage of conventional NFC-chips and readers is that it can be challenging to position NFC-chip readers at remote or other arbitrary locations. A solution is found in a method for communication with an NFC-chip of a user identification document, by which a terminal obtains protected data from the NFC-chip, including the step of verifying the integrity of the protected data; and a server verifies genuineness of the NFC-chip communicating via the terminal.

FIELD OF THE INVENTION

The invention relates to the field of communication with NFC-chips. Theinvention further relates to the field of terminals communicating withNFC-chips. The invention further relates to the field of serverscommunicating with NFC-chips. The invention further relates to the fieldof computer program products for communicating with NFC-chips.

BACKGROUND OF THE INVENTION

Near field communication (NFC) is used for banking, access control oridentification. Examples of user identification documents containing anNFC-chip are bank cards, credit cards, access cards, driving licences,passports, ID cards. The NFC-chip contains data verifying the identityof the holder. The data on an NFC-chip may be read by an NFC-chipreader, such as a bank terminal, boarder control gate, access controlledgate or hand terminal.

The data on the NFC-chip typically contains private information, whichshould only be accessible to NFC-chip readers having permission to readthis information. Several checks could be in place to verify thepermission of the NFC-chip reader. One of those checks is that theNFC-chip reader has to be able to acquire a key based on an opticalidentifier printed on the user identification document such as, forexample, the machine-readable zone (MRZ), a Card Access Number (CAN) ora bar- or QR code from the user identification document. This identifiercontains a key necessary for unlocking the data on the NFC-chip.

The other way around, the user identification document is also checkedby the NFC-chip reader. The following sequence typically unfolds:

-   -   visually obtain key from document;    -   gain access to protected data;    -   active authentication or chip authentication;    -   read protected data with key; and    -   passive authentication.

The correctness of the protected data is verified during passiveauthentication. Part of the protected data contains a digital signature.The digital signature is based on the rest of the protected data and acertificate from a certifying authority. The NFC-chip reader uses thisdigital signature to verify the correctness of the protected dataagainst a list of trusted certificates of the issuing countries.

After the correctness of the protected data is verified, active or chipauthentication verifies that the original NFC-chip is communicating withthe NFC-chip reader and not a clone of the NFC-chip. Thus, active orchip authentication prevents cloning of the NFC-chip. Active or chipauthentication is based on a public-private key combination on theNFC-chip and a challenge from the NFC-chip reader requiring the correctresponse to the NFC-chip reader.

Further readings on communication with a user identification documentcontaining a NFC-chip may be found in ISO/IEC 18013-3, part 3, firstedition 2009-03-01; DOC9303, Machine Readable Travel Documents, seventhedition 2015 and TR-03110-1 Advanced Security Mechanisms for MachineReadable Travel Documents and eIDAS Token, version 2.20, 26 Feb. 2015.

A development is seen wherein the NFC-chip reader evolves towards asystem comprising an online or stand-alone terminal. For example, asmartphone may be used as NFC-chip reader. Depending on the requirementsand environment wherein the terminal is operated, this terminal may betrusted or untrusted. If the terminal is trusted, the terminal mayrequire a communication link to a certificate server or may store thecertificates locally. If the terminal is untrusted, the terminalrequires a link to a server performing all the authentication steps.This server in turn may require a link to a certificate server or maystore the certificates locally.

A disadvantage of the conventional NFC-chips and NFC-chip readers isthat it can be challenging to position NFC-chip readers at arbitrarylocations, such as a remote location. A known solution may be to use asmartphone as NFC-chip reader. Although this is a solution to thearbitrary location problem, when the smartphone is used as NFC-chipreader, complex local security measures are required to protect thesmartphone against hacking or other security threats, making the use ofthe smartphone as NFC-chip reader complex. Thus, a trusted randomlylocatable terminal has the disadvantage of requiring complex securitymeasures.

Another known solution is to have an NFC-chip transceiver and a trustedserver with a network link in between and located at a distance from thetransceiver. It is known that the protocol specification defining thecommunication between the NFC-chip and NFC-chip reader allows only forsmall timeouts. As the server is located at a distance from thetransceiver, a high speed, low jitter and low round trip time linkbetween the NFC-chip transceiver and the server is required to meet thetimeout requirements. Thus, an NFC-chip reader having an NFC-chiptransceiver and a trusted server has the disadvantage of requiring ahigh-quality and thus complex network link between the NFC-chiptransceiver and the trusted server.

SUMMARY OF THE INVENTION

An objective of the invention is to provide a more robust NFC-chipreader.

According to a first aspect of the invention, a method for communicationwith an NFC-chip of a user identification document, comprising the stepsof: a terminal obtaining protected data from the NFC-chip, whereinobtaining comprises the step of verifying the integrity of the protecteddata; and a server verifying genuineness of the NFC-chip communicatingvia the terminal.

It is an insight of the inventor that active authentication and passiveauthentication may be split to obtain a terminal, which is trusted to doaccess control and clone-detection protocol execution, but untrusted foractive authentication and passive authentication.

The method according to the current invention provides the advantage ofsplitting the NFC-reader in a partially trusted terminal and a fullytrusted server. Thus, the method according to the invention allowseither for a simpler implementation of local security measures or for asimpler link between terminal and server or both. Hence, the method orcommunication with an NFC-chip of a user identification documentaccording to the current invention allows for a simpler system.

As the terminal is partially trusted, the terminal may be a hand-helddevice, such as a smartphone, with minimal or no extra securitymeasures.

In an embodiment of the method, the step of verifying genuineness isinitiated before completing the obtaining step.

It is an insight of the inventor that the active authentication iscomputational expensive and relative to the other communication stepsrequires providing considerable power to the NFC-chip. Furthermore, itis an insight that the radio on the NFC-chip also requires considerablepower. Thus, if the active authentication is delayed, the radio of theNFC-chip may deplete its energy source and consequently activeauthentication will fail.

It is a further insight that steps for active authentication may alreadybe undertaken before passive authentication or reading protected datahas completed.

The method according to this embodiment provides the advantage ofminimizing the influence of jitter and/or delay on a network eitherbetween the chip and terminal or between the terminal and the server.This in turn prevents any disruptions to occur between the NFC-chip andterminal while communicating. These disruptions may be protocol timeoutsor energy source depletion. Hence, the reliability of the communicationbetween the NFC-chip and the terminal is enhanced, without compromisingthe reliability of the verification for unreliable terminals.

In an embodiment of the method, the step of obtaining protected datacomprises the steps of: the terminal obtaining an access key from theuser identification document; and the terminal using the access key foractivating the NFC-chip for transferring the protected data to theterminal.

In an embodiment of the method, the verifying genuineness step comprisesthe steps of: the terminal receiving a challenge from the server; theterminal transmitting the challenge to the NFC-chip; and the terminalforwarding the challenge response from the NFC-chip to the server;wherein the receiving step is independent in time of the transmittingstep. This method allows for the terminal to have a storage, such as aqueue, of challenges. This storage may be used to directly transmit achallenge from the terminal and to the NFC-chip when the communicationchannel between the NFC-chip and the terminal is available. Having thechallenges available minimizes the influences of jitter and delays in anetwork connected to the terminal. Typically, the challenge is sentdirectly after reading the protected data or completing passiveauthentication communication between NFC-chip and terminal. This type ofuse of a challenge may be labelled active authentication.

In a further embodiment of the method, each challenge is associated witha time-to-live (TTL) period. The TTL period determines how long achallenge is valid, providing the advantage of improved security as thechallenge may not be used after a certain time period.

In a further embodiment of the method, each challenge is associated witha session identifier. The session identifier simplifies identificationof the challenge, such as in a database, and prevents reuse of thechallenge.

In an embodiment of method, the verifying genuineness step comprises thesteps of: the terminal forwarding a public key from a keypair on theNFC-chip to the server for basing a challenge on the public key; aterminal receiving the challenge and a public key from a server keypairfrom the server; the terminal transmitting the challenge and that serverpublic key to the NFC-chip; and the terminal forwarding a response (tothe challenge) from the NFC-chip to the server, wherein the response (tothe challenge) is based on a shared key based on the server public keyand a chip private key of the chip's keypair. As this sequence of stepsrequires the use of a public key, these steps may be initiated directlyafter the terminal receives the chip's public key from the NFC-chip. Asthe chip's public key is typically received before reading the protecteddata is completed, any influence of the network between the terminal andserver is minimized or even eliminated. This type of use of a challengemay be labelled chip authentication.

In a further embodiment of the method, the challenge is an encryptedcommand. The command is encrypted by the server with the shared secretshared between the terminal and the NFC-chip. The shared secret is basedon the public-private key pair of the chip and the public-private keypair of the server. Typically, this shared secret is based on aDiffie-Hellman or on a EIGamal key exchange scheme. Typically, thepublic-private key pair of the chip is static. Typically, thepublic-private key pair of the server is ephemeral. As the command isencrypted, only the NFC-chip may decrypt the command. In response, theNFC-chip encrypts the command response with the shared secret. Theencrypted command response can only be decrypted by the server by theserver. Further, the server may evaluate the validity of the commandresponse.

In an embodiment of the current invention, the terminal and server maybe combined in one physical device. This providing the advantage ofminimizing the influence of jitter and/or delay on a network eitherbetween the terminal and the server or between terminal or server and acertificate server.

According to another aspect of the invention, a method for a terminalcommunicating with an NFC-chip of a user identification document,comprising the steps of: obtaining protected data from the NFC-chip; andforwarding communication between the NFC-chip and a server for verifyinggenuineness of the NFC-chip. As the terminal executing the method doesnot verify the genuineness of the NFC-chip, the implementation of theterminal becomes simpler. The method according to the current inventionprovides the advantages as described above. The terminal may receive asignal from the server comprising the result of the genuineness test.

In an embodiment of the current invention, the step of forwarding isinitiated before completing the obtaining step. It will be obvious tothe reader that obtaining the protected data may comprise the step ofreading the protected data and verifying the protected data, such asauthenticating the protected data with a digital signature. The methodfor the terminal minimizes the influence of jitter and/or delay on anetwork either between the terminal and the server or between terminalor server and a certificate server. The method according to the currentinvention provides the advantages as described above.

In an embodiment of the current invention, the step of obtainingprotected data comprises the steps of: obtaining an access key from theuser identification document; and using the access key for activatingthe NFC-chip for transferring the protected data. This provides theadvantage of restricting access to protected data on the NFC-chip withan access key. Preferably, this key is available via a machine-readablezone (MRZ) on the user identification document. More preferably, thisMRZ is an inner page of the user identification document.

In an embodiment of the current invention, the forwarding step comprisesthe steps of: receiving a challenge from the server; transmitting thechallenge to the NFC-chip; and forwarding the challenge response fromthe NFC-chip to the server; wherein the receiving step is independent intime of the transmitting step. This method for the terminal allows forthe terminal to have a storage, such as a queue, of challenges,providing the advantages as described above. In a further embodiment ofthe method, each challenge is associated with a time-to-live (TTL)period. In a further embodiment of the method, each challenge isassociated with a session identifier.

In an embodiment of the current invention, the forwarding step comprisesthe steps of: forwarding a public chip key from a key chip pair on theNFC-chip to the server for basing a challenge on the public chip key;receiving the challenge and a public server key from a key server pairfrom the server; transmitting the challenge and the public server key tothe NFC-chip; and forwarding the challenge response from the NFC-chip tothe server, wherein the challenge response is based on a shared keybased on the public server key and a private chip key of the chip pair.This embodiment provides the same advantages as described above. In afurther embodiment of the method, the challenge is an encrypted command.

According to another aspect of the invention, a method for a serververifying genuineness of a user identification document comprising anNFC-chip, comprising the steps of: tracking the challenges provided bythe server to a terminal communicating with the NFC-chip; receiving achallenge response to a challenge from the server from the terminal;verifying genuineness of the NFC-chip based on the challenge responseand the challenge; and providing newly generated challenges to theterminal based on the tracking step. The method according to the currentinvention provides the advantages as described above.

In an embodiment of the current invention, the providing and trackingsteps are independent of the receiving and verifying steps. Thisprovides the advantage of relaxing the requirements for either localsecurity measures or link between terminal and server or both. Due tothis relaxing, protocol timeouts and/or energy depletion will happenless frequently. Hence, the reliability of the communication between theNFC-chip and the terminal is enhanced and thus the verification. Thistype of use of a challenge may be labelled active authentication.

According to another aspect of the invention, a method for a serververifying genuineness of a user identification document comprising anNFC-chip, comprising the steps of: receiving a copy of protected data onthe NFC-chip; verifying the protected data with a digital signaturecomprised in the protected data; receiving a public chip key from a keychip pair on the NFC-chip for basing a challenge on the public chip key;transmitting the challenge and a public server key from a key serverpair from the server; and receiving a challenge response from theNFC-chip, wherein the challenge response is based on a shared key basedon the public server key and a private chip key of the chip pair,wherein the step of receiving the public chip key is initiated beforethe step of verifying the protected data. This provides the advantage ofrelaxing the requirements for either local security measures or linkbetween terminal and server or both. Due to this relaxing, protocoltimeouts and/or energy depletion will happen less frequently. Hence, thereliability of the communication between the NFC-chip and the terminalis enhanced and thus the verification. This type of use of a challengemay be labelled chip authentication.

According to another aspect of the invention, a terminal comprising: acommunication unit configured for communicating with a server verifyinggenuineness of an NFC-chip of a user identification document; atransceiver configured for communicating with the NFC-chip; andprocessing means configured for obtaining protected data of the NFC-chipand forwarding communication between the NFC-chip and the server,wherein communication is forwarded before obtaining the protected datais completed. The terminal according to the current invention providesthe advantages as described above. The terminal may be configuredfurther to execute any of the steps of the methods described above.

In an embodiment of the current invention, a terminal comprises achallenge storage configured for temporarily storing a challenge on theterminal, which challenge is used for determining the genuineness of theNFC-chip. The storage may be a queue. The terminal according to thecurrent invention provides the advantages as described above.

According to another aspect of the invention, a server comprises achallenge storage configured for tracking challenges associated with aterminal; a verification unit configured for verifying genuineness of anNFC-chip based on a challenge response and the associated challenge fromthe challenge storage. The storage may be a queue. The challenges maythus be generated before there is a need for during the communicationbetween the NFC-chip and the terminal. The challenge storage may providechallenges independent of the verification unit. The challenge storagemay generate challenges, at least upon generation, associated with aterminal, which challenge is not associated with an NFC-chip orcommunication between an NFC-chip and a terminal. The server accordingto the current invention provides the advantages as described above. Theserver may further be configured to execute any of the steps of themethods described above.

According to another aspect of the invention, a server comprises aprotected data storage configured for storing a received copy ofprotected data on an NFC-chip of a user identification document; asignature verification unit configured for verifying the protected datausing a digital signature comprised in the protected data; a challengegenerator configured for generating a challenge based on a public chipkey from a key chip pair on the NFC-chip; a verification unit configuredfor verifying genuineness of the NFC-chip based on a challenge responseand the associated challenge. The server according to the currentinvention provides the advantages as described above. The server mayfurther be configured to execute any of the steps of the methodsdescribed above.

According to another aspect of the invention, a computer program productcomprises a computer readable medium having computer readable codeembodied therein, the computer readable code being configured such that,on execution by a suitable computer or processor, the computer orprocessor is caused to perform the method of any of the precedingembodiments. This may be a method for a terminal, a server or acombination.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be apparent from and elucidated further withreference to the embodiments described by way of example in thefollowing description and with reference to the accompanying drawings,in which:

FIG. 1 schematically shows a sequence diagram according to the priorart;

FIG. 2 schematically shows a sequence diagram according to an embodimentof the current invention;

FIG. 3 schematically shows a sequence diagram according to an embodimentof the current invention;

FIG. 4 schematically shows a sequence diagram according to an embodimentof the current invention;

FIG. 5 schematically shows a method for a terminal according to anembodiment of the invention;

FIG. 6a schematically shows a method for a server according to a firstembodiment of the invention;

FIG. 6b schematically shows a method for a server according to a secondembodiment of the invention;

FIG. 7 schematically shows a terminal according to an embodiment of theinvention;

FIG. 8a schematically shows a server according to a first embodiment ofthe invention;

FIG. 8b schematically shows a server according to a second embodiment ofthe invention;

FIG. 9 schematically shows an embodiment of a computer program product,computer readable medium and/or non-transitory computer readable storagemedium according to the invention.

The figures are purely diagrammatic and not drawn to scale. In thefigures, elements which correspond to elements already described mayhave the same reference numerals.

LIST OF REFERENCE NUMERALS

100 sequence diagram according to the prior art 101 NFC-chip readeraccording to the prior art 110 initiate reading protected datacommunication 112 completion reading protected data communication 120generating challenge 130 communication for clone detection 200 secondsequence diagram 201 NFC-chip 202 terminal 203 server 210 initiatereading protected data communication 212 completion reading protecteddata communication 230, 240 clone detection communication 300 thirdsequence diagram 330 request amount of outstanding challenges 331 replyamount of outstanding challenges 332 request new challenge 333 providenew challenge 340 challenge from terminal to NFC-chip 341 challengeresponse from NFC-chip to terminal 342 challenge response from terminalto server 400 fourth sequence diagram 411 public chip key from NFC-chipto terminal 430 public chip key from terminal to server 431 publicserver key and challenge from server to terminal 440 public server keyand challenge from terminal to NFC-chip 441 challenge response fromNFC-chip to terminal 445 challenge response from terminal to server 446confirmation genuineness NFC-chip 500 method for a terminal 510obtaining protected data 520 forwarding communication 600 method for aserver 610 tracking challenges 615 receiving challenge response 620verifying genuineness 625 providing generated challenge 650 method for aserver 660 receiving protected data 665 verifying protected data 670receiving chip public key 675 transmitting challenge and server publickey 680 receiving challenge response 710 transceiver 715 NFC-chip -terminal communication 720 processing means 725 forwarded communication730 communication unit 750 NFC communication 760 terminal - servercommunication 810 communication unit 815 challenge communication 820challenge storage 825 challenge response 830 verification unit 835associated challenge 861 received protected data 865 protected datastorage 866 protected data 870 signature verification unit 871 publickey NFC-chip 875 challenge generator 8760  challenge transmission 900non-transitory computer readable storage medium 910 writable part 920computer program d101  delay sequence diagram prior art d201  firstdelay second sequence diagram d202  second delay second sequence diagramd301  first delay third sequence diagram d302  second delay thirdsequence diagram d401  first delay fourth sequence diagram d402  seconddelay fourth sequence diagram

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

The following figures may detail different embodiments.

FIG. 1 schematically shows a sequence diagram 100 according to the priorart. In a sequence diagram, time progresses from top to bottom. Thesequence diagram according to the prior art comprises, as actors, anNFC-chip 201 and an NFC-chip reader 101.

The NFC-chip and NFC-chip reader initiate communication 110 for readingof the protected data of the NFC-chip. The communication continues up tocompletion of the communication 112 reading the protected data of theNFC-chip. After completion of the communication of reading protecteddata, the prior art NFC-chip reader processes the received protecteddata, thereby generating a challenge 120. After generating thechallenge, the challenge and response on the challenge are used forgenuineness verification or clone detection 130.

The generating of the challenge between the completion of thecommunication 112 and the start of the clone detection communication 130causes a delay d101. This delay may disrupt the working of orcommunication to the NFC-chip. For example, the NFC-chip may run out ofenergy due to the relative long delay. As another example, the NFC-chipmay time-out, due to the delay being too long, which will cause aprotocol time-out on the NFC-chip.

FIG. 2 schematically shows a sequence diagram 200 according to anembodiment of the current invention. The sequence diagram comprises anNFC-chip 201, a terminal 202 and a server 201 according to the currentinvention as actors.

The terminal and the NFC-chip communicate wirelessly with each other.This communication is labelled NFC-communication. The terminal initiates210 reading of the protected data from the NFC-chip. The terminalcompletes 212 reading of the protected data from the NFC-chip after sometime. Clone detection communication 230 between the terminal and theserver starts before the reading of the protected data completes 212.Thus, during or even before reading of the protected data from theNFC-chip, the terminal may already start clone detection communication230 with the server. This communication may comprise information fromthe partially received protected data.

After the communication 230 for clone detection between the terminal andthe server, the server communicates 240 with the NFC-chip via theterminal completing the clone detection protocol.

This sequence diagram splits the functionality of the server accordingto the prior art in a terminal and server according to the invention.The terminal is close to the NFC-chip as required by theNFC-communication. The server may be arranged at a distance from theterminal. The network between the server and the terminal may compriseseveral network hobs and several types of network. In a system, set-upaccording to this sequence diagram, the server may be placed at alocation allowing the server to be trusted in a simpler way. Forexample, the server may be located in a server-room under controlledconditions. The server may further be shared serving multiple terminalspreventing the need for a trusted server per terminal. The terminal,close to the NFC-chip, may be untrusted or partially trusted hencerequiring minimal security measures. Hence, the sequence diagramprovides the advantage of simplified communication, such as a simplersequence of communication, with an NFC-chip.

A first delay d201 is defined between the completion of the protecteddata communication 212 and the server communicating with the NFC-chip240. A second delay d202 is defined between the clone detectioncommunication 230 between terminal and the server and the clonedetection communication 240 between the NFC-chip and the server via theterminal. The server may process the communication from the terminalparallel to the terminal communicating with the NFC-chip. The firstdelay d201 is shortened as the second delay d202 in the clone protectionprotocol runs parallel to the first delay. As these delays run parallel,this sequence diagram, defining the behaviour of the terminal and serveraccording to the current invention provide the advantage of minimizingor even preventing the chance on a protocol time-out or the NFC-chiprunning out of energy. Furthermore, the network between may introducejitter, delays, round-trip-delays and loss of data requiringretransmissions. This sequence diagram minimizes these influence byshortening the first delay d201. Hence, communication according to thissequence diagram provides the advantage of increasing the reliability ofthe NFC-communication between the NFC-chip and the terminal.

Access to the data may be protected by an access control. TheNFC-communication may conform to a version of the ICAO Doc 9303 orISO18013 protocol. The access control mechanism may conform to a versionof the BAC or PACE protocol.

FIG. 3 schematically shows a sequence diagram 300 according to anembodiment of the current invention. The sequence diagram 300 is afurther detailing of the sequence diagram 200 in FIG. 2. The sequencediagram comprises an NFC-chip 201, a terminal 202 and a server 201according to the current invention as actors.

The server generates challenges used as seed or start for the clonedetection protocol. Challenges are generated independent of theNFC-chip. Hence, the challenge may be used by any terminal communicatingto any NFC-chip. Therefore, the challenges may already be transferred tothe terminal before or during that the NFC-communication with theNFC-chip starts. Hence, the second delay d302 is independent of anyNFC-communication.

Optionally, the server may request 330 the amount of challenges presenton the terminal. The terminal may reply 331 with the amount ofchallenges present on the terminal from that particular server. Theterminal may have multiple challenges stored for futureNFC-communication. The terminal may have multiple challenges frommultiple servers for future NFC-communication. Alternatively, theterminal may indicate the amount of challenges stored, without a requestfrom the server. Alternatively, the terminal may request 332 for a newchallenge or multiple new challenges from the server. The servergenerates a challenge or challenges and provides 333 this challenge orthese challenges to the terminal. This providing 333 may be done withoutthe server keeping track of the challenges present on the terminal orwith one of the previous mentioned exchanges for managing the amount ofchallenges on the terminal. A challenge present on the terminal and notused before a certain time-out may become obsolete. Multiplecombinations of messages are foreseeable by the skilled person. The oneor more challenges on the terminal may be stored in a storage, such as astack or pipe.

As the challenges are present on the terminal, after the terminal hascompleted reading protected data communication, the challenges may betransmitted from the terminal to the NFC-chip with a first delay d301,which may be minimal. The second delay d302 has no influence on thisdelay. This embodiment provides the advantage of reducing or preventinginfluence of the second delay d302. Furthermore, the terminal issimplified and the server may be in a controlled environment, asdiscussed throughout this application.

FIG. 4 schematically shows a sequence diagram 400 according to anembodiment of the current invention. The sequence diagram 400 is afurther detailing of the sequence diagram 200 in FIG. 2. The sequencediagram comprises an NFC-chip 201, a terminal 202 and a server 201according to the current invention as actors.

The server generates challenges used as seed or start for the clonedetection protocol. The protected data is transferred from the NFC-chipto the terminal during the NFC-communication. The NFC-chip comprises achip key pair. This chip key pair comprises a public chip key and aprivate chip key. The public chip key is part of the protected data andis thus transferred 411 during this communication.

The communication 430 of the public chip key to the server may be seenas the start of the clone detection. This communication may take placebefore the completion 212 of reading protected data, as indicated withthe second delay d402.

The server comprises a server key pair. This server key pair comprises apublic server key and a private server key. Preferably, the servercommunicates 431 the public server key and a challenge to the terminalbefore the completion of reading protected data.

The terminal may transfer 440 the challenge and the public server key tothe NFC-chip as part of the NFC-communication after the completion 212of the transfer of the protected data with a first delay d401. As thesecond delay d402 is preferably completely before the completion 212 ofthe transfer, the second delay does not increase the first delay d401.Thus, the first delay is decreased or minimized.

The NFC-chip responds 441 with a challenge response to the terminal. Theterminal in response communicates 445 the challenge response to theserver. The server may now verify the genuineness of the NFC-chip basedon a shared secret. The shared secret at the server is based on theprivate server key and the public chip key. The shared secret at theNFC-chip is based on the private chip key and the public server key. Theshared secret may be derived with the use of a Diffie-Hellman keyexchange or a Diffie-Hellman key exchange variation.

FIG. 5 schematically shows a method 500 for a terminal according to anembodiment of the invention. The method starts with the step ofobtaining 510 protected data from the NFC-chip. The method continueswith the step of forwarding 520 communication between the NFC-chip and aserver for verifying genuineness of the NFC-chip. This method may beimplemented by a terminal conforming to the communication as specifiedin the sequence diagram of FIG. 2, 3 or 4.

FIG. 6a schematically shows a method for a server 600 according to afirst embodiment of the invention. The method starts with the step oftracking 610 the amount of challenges provided by the server to aterminal communicating with the NFC-chip. The method continues with thestep of receiving 615 a challenge response to a challenge from theserver from the terminal. The method continues with the step ofverifying 620 genuineness of the NFC-chip based on the challengeresponse and the challenge. The method continues with the step ofproviding 625 a newly generated challenge to the terminal based on thetracking step. This method may be implemented by a server conforming tothe communication as specified in the sequence diagram of FIG. 2 or 3.

FIG. 6b schematically shows a method for a server 650 according to asecond embodiment of the invention. The method starts with the step ofreceiving 660 a copy of protected data on the NFC-chip. The methodcontinues with the step of verifying 665 the protected data with adigital signature comprised in the protected data. The method continueswith the step of receiving 670 a public chip key from a key chip pair onthe NFC-chip for basing a challenge on the public chip key. The methodcontinues with the step of transmitting 675 the challenge and a publicserver key from a key server pair from the server. The method continueswith the step of receiving 680 a challenge response from the NFC-chip,wherein the challenge response is based on a shared key based on thepublic server key and a private chip key of the chip pair, wherein thestep of receiving the public chip key is initiated before the step ofverifying the protected data. This method may be implemented by a serverconforming to the communication as specified in the sequence diagram ofFIG. 2 or 4.

Alternatively, the method schematically shown in FIG. 6b may be executedin an alternative order or split in more sub-steps. As an example, themethod may start with the step of partially receiving protected data onthe NFC-chip. The protected data may be received up to and including thepublic chip key 670. The method continues with the step of transmitting675 the challenge and a public server key from a key server pair fromthe server. The method continues with the step of receiving 680 achallenge response from the NFC-chip, wherein the challenge response isbased on a shared key based on the public server key and a private chipkey of the chip pair, wherein the step of receiving the public chip keyis initiated before the step of verifying the protected data. The methodcontinues with the step of receiving 660 the rest of the protected dataon the NFC-chip. The method continues with the step of verifying 665 theprotected data with a digital signature comprised in the protected data.This method may be implemented by a server conforming or partlyconforming to the communication as specified in the sequence diagram ofFIG. 2 or 4.

FIG. 7 schematically shows a terminal 202 according to an embodiment ofthe invention. The terminal comprises a communication unit 730, atransceiver 710 and processing means 720.

The communication unit is configured for communicating 760 with a serververifying genuineness of an NFC-chip of a user identification document.The transceiver is configured for communicating 750 with the NFC-chip.This communication may be labelled NFC-communication. The processingmeans are configured for obtaining protected data of the NFC-chip viathe transceiver. Processing means are configured for obtaining protecteddata of the NFC-chip and forwarding communication between the NFC-chipand the server, wherein communication is forwarded before the protecteddata is obtained.

This terminal may conform to the communication as specified in thesequence diagram of FIG. 2, 3 or 4 or in the method of FIG. 5.

FIG. 8a schematically shows a server 203 according to a first embodimentof the invention. The server comprises a communication unit 810, achallenge storage 820 and a verification unit 830.

The communication unit is configured for communicating 760 with aterminal providing data for verifying genuineness of an NFC-chip of auser identification document. The challenge storage is configured fortracking challenges associated with a terminal. The challenge storagecommunicates 815 information concerning the challenges with thecommunication unit. This communication may comprise data necessary formessages between terminal and server as specified in FIG. 3. Thechallenge storage may comprise a challenge generator and challengemanagement unit, which are not shown in the figure. The verificationunit is configured for verifying genuineness of an NFC-chip based on achallenge response 825 from the communication unit and the associatedchallenge 835 from the challenge storage.

This server may conform to the communication as specified in thesequence diagram of FIG. 2 or 3 or in the method of FIG. 6 a.

FIG. 8b schematically shows a server 203 according to a secondembodiment of the invention. The server comprises a communication unit810, a protected data storage 865, a signature verification unit 870, achallenge generator 875 and a verification unit 830.

The communication unit is configured for communicating 760 with aterminal providing data for verifying genuineness of an NFC-chip of auser identification document. The protected data storage is configuredfor storing a received 861 copy of protected data on an NFC-chip of auser identification document. The signature verification unit isconfigured for verifying the protected data using a digital signaturecomprised in the protected data. The verification unit receives theprotected data from the protected data storage. The verification unitmay receive the digital signature from an external certificate server.This certificate server may be connected to the network also carryingthe terminal-server communication 760 or may be connected to the servervia a separate communication network. The digital signatures may also bekept local to the server.

The server generates challenges used as seed or start for the clonedetection protocol. The protected data is transferred from the NFC-chipto the terminal during the NFC-communication.

The NFC-chip comprises a chip key pair. This chip key pair comprises apublic chip key and a private chip key. The public chip key is part ofthe protected data and is thus transferred 861 during thiscommunication.

The communication 430 of the public chip key to the server may be seenas the start of the clone detection. This communication may take placebefore the completion 212 of reading protected data, as indicated withthe second delay d402.

The server comprises a server key pair. This server key pair comprises apublic server key and a private server key. Preferably, the servercommunicates 431 the public server key and a challenge to the terminalbefore the completion of reading protected data.

The public chip key is provided 871 to the challenge generator by thesignature verification unit or alternatively by the protected datastorage. Wherein, in the latter case, the verification unit has tosignal the protected data comprises a correct signature or not. Thechallenge generator is configured for generating a challenge based on apublic chip key from a key chip pair on the NFC-chip. The challenge istransmitted 876 to communication unit for transmission to the NFC-chip.

The verification unit is configured for verifying genuineness of theNFC-chip based on a challenge response and the associated challenge. Theverification unit receives a challenge response 825 from thecommunication unit. The verification unit further receives 835 anassociated challenge from the challenge generator. The challengegenerator may comprise a storage for storing the separate challenges.The challenges may be associated via a session ID also present in thechallenge response.

This server may conform to the communication as specified in thesequence diagram of FIG. 2 or 4 or in the method of FIG. 6 b.

It should be noted that the figures are purely diagrammatic and notdrawn to scale. In the figures, elements which correspond to elementsalready described may have the same reference numerals.

It will be appreciated that the invention also applies to computerprograms, particularly computer programs on or in a carrier, adapted toput the invention into practice. The program may be in the form of asource code, an object code, a code intermediate source and an objectcode such as in a partially compiled form, or in any other form suitablefor use in the implementation of the method according to the invention.It will also be appreciated that such a program may have many differentarchitectural designs. For example, a program code implementing thefunctionality of the method or system according to the invention may besub-divided into one or more sub-routines. Many different ways ofdistributing the functionality among these sub-routines will be apparentto the skilled person. The sub-routines may be stored together in oneexecutable file to form a self-contained program. Such an executablefile may comprise computer-executable instructions, for example,processor instructions and/or interpreter instructions (e.g. Javainterpreter instructions). Alternatively, one or more or all of thesub-routines may be stored in at least one external library file andlinked with a main program either statically or dynamically, e.g. atrun-time. The main program contains at least one call to at least one ofthe sub-routines. The sub-routines may also comprise function calls toeach other. An embodiment relating to a computer program productcomprises computer-executable instructions corresponding to eachprocessing stage of at least one of the methods set forth herein. Theseinstructions may be sub-divided into sub-routines and/or stored in oneor more files that may be linked statically or dynamically. Anotherembodiment relating to a computer program product comprisescomputer-executable instructions corresponding to each means of at leastone of the systems and/or products set forth herein. These instructionsmay be sub-divided into sub-routines and/or stored in one or more filesthat may be linked statically or dynamically.

The carrier of a computer program may be any entity or device capable ofcarrying the program. For example, the carrier may include a datastorage, such as a ROM, for example, a CD ROM or a semiconductor ROM, ora magnetic recording medium, for example, a hard disk. Furthermore, thecarrier may be a transmissible carrier such as an electric or opticalsignal, which may be conveyed via electric or optical cable or by radioor other means. When the program is embodied in such a signal, thecarrier may be constituted by such a cable or other device or means.Alternatively, the carrier may be an integrated circuit in which theprogram is embedded, the integrated circuit being adapted to perform, orused in the performance of, the relevant method.

FIG. 9 schematically shows an embodiment of a computer program product,computer readable medium and/or non-transitory computer readable storagemedium 900 having a writable part 910 including a computer program 920,the computer program including instructions for causing a processorsystem to perform a method according to the invention.

It should be noted that the above-mentioned embodiments illustraterather than limit the invention, and that those skilled in the art willbe able to design many alternative embodiments without departing fromthe scope of the appended claims. In the claims, any reference signsplaced between parentheses shall not be construed as limiting the claim.Use of the verb “comprise” and its conjugations does not exclude thepresence of elements or stages other than those stated in a claim. Thearticle “a” or “an” preceding an element does not exclude the presenceof a plurality of such elements. The invention may be implemented bymeans of hardware comprising several distinct elements, and by means ofa suitably programmed computer. In the device claim enumerating severalmeans, several of these means may be embodied by one and the same itemof hardware. The mere fact that certain measures are recited in mutuallydifferent dependent claims does not indicate that a combination of thesemeasures cannot be used to advantage.

Examples, embodiments or optional features, whether indicated asnon-limiting or not, are not to be understood as limiting the inventionas claimed.

1. A method for communication with an NFC-chip of a user identificationdocument, comprising: a terminal obtaining protected data from theNFC-chip, wherein obtaining comprises verifying the integrity of theprotected data; and a server verifying genuineness of the NFC-chipcommunicating via the terminal.
 2. The method according to claim 1,wherein verifying genuineness of the NFC-chip is initiated before theterminal obtains the protected data.
 3. The method according to claim 1,wherein verifying genuineness of the NFC-chip comprises: the terminalreceiving a challenge from the server; the terminal transmitting thechallenge to the NFC-chip; and the terminal forwarding a response to thechallenge from the NFC-chip to the server; wherein the terminalreceiving the challenge is performed independently in time from theterminal transmitting the challenge.
 4. The method according to claim 1,wherein verifying genuineness of the NFC-chip comprises: the terminalforwarding a chip public key from a chip key pair on the NFC-chip to theserver for basing a challenge on the chip public key; a terminalreceiving the challenge and a server public key from a server key pairfrom the server; the terminal transmitting the challenge and the serverpublic key to the NFC-chip; and the terminal forwarding a response to achallenge from the NFC-chip to the server, wherein the challengeresponse is based on a shared key based on the server public key and achip private key of the chip key pair.
 5. A method for a terminalcommunicating with an NFC-chip of a user identification document,comprising: obtaining protected data from the NFC-chip; and forwardingcommunication between the NFC-chip and a server for verifyinggenuineness of the NFC-chip.
 6. The method according to claim 5, whereinforwarding communication between the NFC-chip and the server isinitiated before obtaining the protected data from the NFC-chip iscompleted.
 7. The method according to claim 5, wherein forwardingcommunication between the NFC-chip and the server comprises: receiving achallenge from the server; transmitting the challenge to the NFC-chip;and forwarding the challenge response from the NFC-chip to the server;wherein receiving the challenge from the server is performedindependently in time from transmitting the challenge to the NFC-chip.8. The method according to claim 5, wherein the forwarding communicationbetween the NFC-chip and the server comprises: forwarding a chip publickey from a chip key pair on the NFC-chip to the server for basing achallenge on the chip public key; receiving the challenge and a serverpublic key from a server key pair from the server; transmitting thechallenge and the server public key to the NFC-chip; and forwarding theresponse to the challenge from the NFC-chip to the server, wherein theresponse to the challenge is based on a shared key based on the serverpublic key and a chip private key of the chip key pair.
 9. A method fora server verifying genuineness of a user identification document thatincludes an NFC-chip, the method comprising: tracking the amount ofchallenges provided by the server to a terminal communicating with theNFC-chip; receiving a challenge response to a challenge from the serverfrom the terminal; verifying genuineness of the NFC-chip based on thechallenge response and the challenge; and providing a newly generatedchallenge to the terminal based on the tracking step.
 10. A method for aserver verifying genuineness of a user identification document thatincludes an NFC-chip, the method comprising: receiving a copy ofprotected data on the NFC-chip; verifying the protected data with adigital signature comprised in the protected data; receiving a chippublic key from a chip key pair on the NFC-chip for basing a challengeon the chip public key; transmitting the challenge and a server publickey from a server key pair from the server; and receiving a response toa challenge from the NFC-chip, wherein the response to the challenge isbased on a shared key based on the server public key and a chip privatekey of the chip key pair, wherein receiving the chip public key isinitiated before verifying the protected data.
 11. A terminalcomprising: a communication unit configured for communicating with aserver verifying genuineness of an NFC-chip of a user identificationdocument; a transceiver configured for communicating with the NFC-chip;and processing means configured for obtaining protected data of theNFC-chip and forwarding communication between the NFC-chip and theserver, wherein communication is forwarded before obtaining theprotected data is completed.
 12. The terminal according to claim 11,comprising a challenge storage configured for temporarily storing achallenge on the terminal, which challenge is used for determining thegenuineness of the NFC-chip.
 13. (canceled)
 14. (canceled)
 15. Acomputer program product comprising a computer readable medium havingcomputer readable code embodied therein, the computer readable codebeing configured such that, on execution by a suitable computer orprocessor, the computer or processor is caused to perform the method ofclaim 1.